Encrypt your data and devices
Why encryption is important
You may have read about incidents where personal data has been stolen, lost or subject to unauthorised access. In most cases, these were caused by data being inadequately protected or the devices the data was stored on being left in inappropriate places.
It is UCL’s legal obligation to ensure that personal data is processed safely and securely. There are a number of ways to do this, encryption being one of them. You can encrypt your laptop (hard disk), individual documents and emails.
Properly applied encryption is an excellent way to protect confidential information. If you have taken reasonable steps to apply strong encryption, this is a very good way to demonstrate that you have attempted to apply appropriate security, should you need to explain or justify your actions.
- What data should I encrypt and when?
Any personal data classed as “special category personal data” by the Data Protection Legislation. Any sensitive, confidential and highly confidential data that is not in the public domain, i.e. financial and organisational internal affairs information.
Personal data in any quantity where its protection is justified because of the nature of the individuals, source of the information, or extent of the information.
To protect the confidentiality of UCL’s information, data should be encrypted when you send it via email (transfer) or store it on UCL managed services (storage) (N and S drives, UCL OneDrive, UCL SharePoint).
- What should I do before transferring sensitive and personal data?
Ask yourself: ‘Why am I sending personal data? Could this data be sent without the personal details?’ If you still need to send the personal data, use one of the following options:
1. Email: encrypt the file as explained below. Contact the recipient to tell them the password. Do not include the password in the email with the file!
2. Create a shared folder on the S: drive where you can save the file and grant the recipient access to the folder, and notify them when the file is ready for collection.
3. If this is going to be a regular task, create a SharePoint site. Restrict access to folders to the recipient only. Upload your file to the folder and notify the recipient that the file is ready for collection.
4. Upload the file to UCL OneDrive. Share the link to the file with the recipient.
For external UCL transfers:
Wherever possible, use a secure web interface to transfer the data. You may upload the file to UCL OneDrive and share the link with the external recipient. You should encrypt the file and share the password separately. If you have no other alternative, then encrypt the file using 7Zip and e-mail the file. Do not include the password in the file transfer. Contact the recipient and provide them with the password.
Guidance documentation from the Information Security Group
- Guidance on the Storage of Sensitive Data on Portable Devices and Media
- Guidance on Encryption of Email and Email Attachments